ai-agent-config 2.6.6 → 2.7.1

package/README.md

@@ -61,14 +61,14 @@ ai-agent update
 
 ## Supported Platforms
 
-| Platform | Skills Path |
-|----------|-------------|
-| Claude Code | `~/.claude/skills/` |
-| Antigravity IDE | `~/.gemini/antigravity/skills/` |
-| Cursor | `~/.cursor/skills/` |
-| Windsurf | `~/.windsurf/skills/` |
-| Codex CLI | `~/.codex/skills/` |
-| GitHub Copilot | `~/.github/copilot-instructions.md` |
+| Platform | Skills Path | MCP Support |
+|----------|-------------|-------------|
+| Claude Code | `~/.claude/skills/` | `claude_desktop_config.json` |
+| Antigravity IDE | `~/.gemini/antigravity/skills/` | `mcp_config.json` |
+| Cursor | `~/.cursor/skills/` | - |
+| Windsurf | `~/.windsurf/skills/` | - |
+| Codex CLI | `~/.codex/skills/` | - |
+| GitHub Copilot | `~/.github/copilot-instructions.md` | - |
 
 ## Secret Management
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-agent-config",
-  "version": "2.6.6",
+  "version": "2.7.1",
   "description": "Universal skill & workflow manager for AI coding assistants with bi-directional GitHub sync",
   "main": "index.js",
   "bin": {

package/scripts/installer.js

@@ -233,10 +233,10 @@ function installToPlatform(platform, options = {}) {
     }
   }
 
-  // Install MCP servers (Antigravity only for now)
-  if (platform.name === "antigravity") {
+  // Install MCP servers to platforms with MCP support
+  if (platform.mcpConfigPath) {
     try {
-      results.mcpServers = mcpInstaller.installMcpServers({ force });
+      results.mcpServers = mcpInstaller.installMcpServers({ force, platform });
     } catch (error) {
       console.warn(`  ⚠️  MCP install failed: ${error.message}`);
     }

package/scripts/mcp-installer.js

@@ -110,116 +110,150 @@ function collectBitwardenEnvs() {
 }
 
 /**
- * Install MCP servers to Antigravity's mcp_config.json
- * This is the "pull" flow - installs structure without resolved secrets
- * @param {Object} options - { force: boolean }
- * @returns {{ added: number, skipped: number, servers: string[] }}
+ * Write MCP servers to a platform's config file
+ * @param {string} configPath - Path to platform's MCP config file
+ * @param {Array} servers - MCP server configs to install
+ * @param {Object} options - { force, platformName }
+ * @returns {{ added: number, skipped: number }}
  */
-function installMcpServers(options = {}) {
-    const { force = false } = options;
-    const antigravity = platforms.getByName("antigravity");
-
-    if (!antigravity || !antigravity.mcpConfigPath) {
-        return { added: 0, skipped: 0, servers: [] };
-    }
-
-    const servers = getAvailableMcpServers().filter((s) => s.enabled !== false);
-    if (servers.length === 0) {
-        return { added: 0, skipped: 0, servers: [] };
-    }
+function writeMcpToPlatformConfig(configPath, servers, options = {}) {
+    const { force = false, platformName = "" } = options;
 
-    // Read existing mcp_config.json
-    let mcpConfig = { mcpServers: {} };
-    if (fs.existsSync(antigravity.mcpConfigPath)) {
+    // Read existing config — preserve ALL existing keys (e.g. Claude's "preferences")
+    let config = { mcpServers: {} };
+    if (fs.existsSync(configPath)) {
         try {
-            mcpConfig = JSON.parse(fs.readFileSync(antigravity.mcpConfigPath, "utf-8"));
-            if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+            config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+            if (!config.mcpServers) config.mcpServers = {};
         } catch {
-            mcpConfig = { mcpServers: {} };
+            config = { mcpServers: {} };
         }
     }
 
     let added = 0;
     let skipped = 0;
-    const serverNames = [];
 
     for (const server of servers) {
-        const existing = mcpConfig.mcpServers[server.name];
+        const existing = config.mcpServers[server.name];
 
         if (existing && !force) {
             skipped++;
-            serverNames.push(server.name);
             continue;
         }
 
-        // Build server entry for Antigravity format
         const entry = {
             command: server.command,
             args: server.args,
         };
 
-        // Preserve existing env if not forcing
+        // Preserve existing env
         if (existing && existing.env) {
             entry.env = existing.env;
         }
 
-        if (server.disabledTools && server.disabledTools.length > 0) {
+        // disabledTools: only add for platforms that support it (not Claude)
+        if (platformName !== "claude" && server.disabledTools && server.disabledTools.length > 0) {
             entry.disabledTools = server.disabledTools;
         }
 
-        mcpConfig.mcpServers[server.name] = entry;
+        config.mcpServers[server.name] = entry;
         added++;
-        serverNames.push(server.name);
     }
 
-    // Write back
+    // Write back (create directory if needed)
     if (added > 0) {
-        const configDir = path.dirname(antigravity.mcpConfigPath);
+        const configDir = path.dirname(configPath);
         if (!fs.existsSync(configDir)) {
             fs.mkdirSync(configDir, { recursive: true });
         }
-        fs.writeFileSync(antigravity.mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + "\n", "utf-8");
+        fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+        // Set restrictive permissions (owner read/write only) to protect secrets
+        // Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+        if (process.platform !== "win32") {
+            try {
+                fs.chmodSync(configPath, 0o600);
+            } catch (e) {
+                console.warn(`⚠️  Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+            }
+        }
     }
 
-    return { added, skipped, servers: serverNames };
+    return { added, skipped };
 }
 
 /**
- * Install MCP servers with resolved secrets to Antigravity
- * This is the "secrets sync" flow - updates env with real values
- * @param {Object} resolvedSecrets - Map of envVar → resolvedValue
- * @returns {{ installed: number, servers: Array<{ name: string, secretsCount: number }> }}
+ * Install MCP servers to platforms' config files
+ * This is the "pull" flow - installs structure without resolved secrets
+ * @param {Object} options - { force: boolean, platform: Object|null }
+ * @returns {{ added: number, skipped: number, servers: string[] }}
  */
-function installMcpServersWithSecrets(resolvedSecrets) {
-    const antigravity = platforms.getByName("antigravity");
+function installMcpServers(options = {}) {
+    const { force = false, platform = null } = options;
 
-    if (!antigravity || !antigravity.mcpConfigPath) {
-        return { installed: 0, servers: [] };
+    const servers = getAvailableMcpServers().filter((s) => s.enabled !== false);
+    if (servers.length === 0) {
+        return { added: 0, skipped: 0, servers: [] };
     }
 
-    const allServers = getAvailableMcpServers().filter((s) => s.enabled !== false);
-    if (allServers.length === 0) {
-        return { installed: 0, servers: [] };
+    // Determine target platforms
+    const targetPlatforms = [];
+    if (platform) {
+        // Single platform specified
+        if (platform.mcpConfigPath) targetPlatforms.push(platform);
+    } else {
+        // All detected platforms with MCP support
+        for (const p of platforms.detectAll()) {
+            const full = platforms.getByName(p.name);
+            if (full && full.mcpConfigPath) targetPlatforms.push(full);
+        }
     }
 
-    // Read existing mcp_config.json
-    let mcpConfig = { mcpServers: {} };
-    if (fs.existsSync(antigravity.mcpConfigPath)) {
+    if (targetPlatforms.length === 0) {
+        return { added: 0, skipped: 0, servers: [] };
+    }
+
+    let totalAdded = 0;
+    let totalSkipped = 0;
+    const serverNames = [...new Set(servers.map((s) => s.name))];
+
+    for (const p of targetPlatforms) {
+        const result = writeMcpToPlatformConfig(p.mcpConfigPath, servers, {
+            force,
+            platformName: p.name,
+        });
+        totalAdded += result.added;
+        totalSkipped += result.skipped;
+    }
+
+    return { added: totalAdded, skipped: totalSkipped, servers: serverNames };
+}
+
+/**
+ * Write MCP servers with resolved secrets to a platform's config file
+ * @param {string} configPath - Path to platform's MCP config file
+ * @param {Array} servers - MCP server configs
+ * @param {Object} resolvedSecrets - Map of bitwardenItem → resolvedValue
+ * @param {string} platformName - Platform name for disabledTools handling
+ * @returns {{ installed: number, servers: Array<{ name: string, secretsCount: number }> }}
+ */
+function writeMcpWithSecretsToPlatformConfig(configPath, servers, resolvedSecrets, platformName) {
+    // Read existing config — preserve ALL existing keys
+    let config = { mcpServers: {} };
+    if (fs.existsSync(configPath)) {
         try {
-            mcpConfig = JSON.parse(fs.readFileSync(antigravity.mcpConfigPath, "utf-8"));
-            if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+            config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+            if (!config.mcpServers) config.mcpServers = {};
         } catch {
-            mcpConfig = { mcpServers: {} };
+            config = { mcpServers: {} };
         }
     }
 
     let installed = 0;
     const serverResults = [];
 
-    for (const server of allServers) {
-        const existing = mcpConfig.mcpServers[server.name] || {};
+    for (const server of servers) {
+        const existing = config.mcpServers[server.name] || {};
 
-        // Build entry: keep existing custom fields (disabledTools user may have customized)
         const entry = {
             command: server.command,
             args: server.args,
@@ -246,29 +280,80 @@ function installMcpServersWithSecrets(resolvedSecrets) {
             serverResults.push({ name: server.name, secretsCount: 0 });
         }
 
-        // Preserve user-customized disabledTools from existing config
-        if (existing.disabledTools) {
-            entry.disabledTools = existing.disabledTools;
-        } else if (server.disabledTools && server.disabledTools.length > 0) {
-            entry.disabledTools = server.disabledTools;
+        // disabledTools: only for platforms that support it (not Claude)
+        if (platformName !== "claude") {
+            if (existing.disabledTools) {
+                entry.disabledTools = existing.disabledTools;
+            } else if (server.disabledTools && server.disabledTools.length > 0) {
+                entry.disabledTools = server.disabledTools;
+            }
         }
 
-        mcpConfig.mcpServers[server.name] = entry;
+        config.mcpServers[server.name] = entry;
         installed++;
     }
 
     // Write back
     if (installed > 0) {
-        const configDir = path.dirname(antigravity.mcpConfigPath);
+        const configDir = path.dirname(configPath);
         if (!fs.existsSync(configDir)) {
             fs.mkdirSync(configDir, { recursive: true });
         }
-        fs.writeFileSync(antigravity.mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + "\n", "utf-8");
+        fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+        // Set restrictive permissions (owner read/write only) to protect secrets
+        // Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead
+        if (process.platform !== "win32") {
+            try {
+                fs.chmodSync(configPath, 0o600);
+            } catch (e) {
+                console.warn(`⚠️  Warning: Could not set file permissions on ${configPath}: ${e.message}`);
+            }
+        }
     }
 
     return { installed, servers: serverResults };
 }
 
+/**
+ * Install MCP servers with resolved secrets to all MCP-capable platforms
+ * This is the "secrets sync" flow - updates env with real values
+ * @param {Object} resolvedSecrets - Map of bitwardenItem → resolvedValue
+ * @returns {{ installed: number, servers: Array<{ name: string, secretsCount: number }> }}
+ */
+function installMcpServersWithSecrets(resolvedSecrets) {
+    const allServers = getAvailableMcpServers().filter((s) => s.enabled !== false);
+    if (allServers.length === 0) {
+        return { installed: 0, servers: [] };
+    }
+
+    // All detected platforms with MCP support
+    const targetPlatforms = [];
+    for (const p of platforms.detectAll()) {
+        const full = platforms.getByName(p.name);
+        if (full && full.mcpConfigPath) targetPlatforms.push(full);
+    }
+
+    if (targetPlatforms.length === 0) {
+        return { installed: 0, servers: [] };
+    }
+
+    let totalInstalled = 0;
+    let aggregatedServers = [];
+
+    for (const p of targetPlatforms) {
+        const result = writeMcpWithSecretsToPlatformConfig(
+            p.mcpConfigPath, allServers, resolvedSecrets, p.name
+        );
+        totalInstalled += result.installed;
+        // Use server results from last platform (they're the same servers)
+        if (result.servers.length > 0) {
+            aggregatedServers = result.servers;
+        }
+    }
+
+    return { installed: totalInstalled, servers: aggregatedServers };
+}
+
 module.exports = {
     getMcpServersDir,
     validateMcpConfig,
@@ -276,5 +361,6 @@ module.exports = {
     collectBitwardenEnvs,
     installMcpServers,
     installMcpServersWithSecrets,
+    writeMcpToPlatformConfig,
     SKIP_FOLDERS,
 };

package/scripts/platforms.js

@@ -32,6 +32,15 @@ const SUPPORTED = [
     get commandsPath() {
       return path.join(HOME, this.configDir, this.commandsDir);
     },
+    get mcpConfigPath() {
+      if (process.platform === "darwin") {
+        return path.join(HOME, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+      } else if (process.platform === "win32") {
+        return path.join(process.env.APPDATA || "", "Claude", "claude_desktop_config.json");
+      } else {
+        return path.join(HOME, ".config", "Claude", "claude_desktop_config.json");
+      }
+    },
     detect() {
       return fs.existsSync(this.configPath);
     },

package/scripts/postinstall.js

@@ -7,6 +7,26 @@
 
 const platforms = require("./platforms");
 
+// Bitwarden MCP: Tools to disable (org management, device approval, sends, etc.)
+const BITWARDEN_DISABLED_TOOLS = [
+  "lock", "sync", "status", "confirm",
+  "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
+  "device_approval_list", "device_approval_approve", "device_approval_approve_all",
+  "device_approval_deny", "device_approval_deny_all",
+  "create_text_send", "create_file_send", "list_send", "get_send",
+  "edit_send", "delete_send", "remove_send_password",
+  "create_attachment",
+  "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
+  "list_org_members", "get_org_member", "get_org_member_groups",
+  "invite_org_member", "update_org_member", "update_org_member_groups",
+  "remove_org_member", "reinvite_org_member",
+  "list_org_groups", "get_org_group", "get_org_group_members",
+  "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
+  "list_org_policies", "get_org_policy", "update_org_policy",
+  "get_org_events", "get_org_subscription", "update_org_subscription",
+  "import_org_users_and_groups"
+];
+
 function main() {
   console.log("\n╔═══════════════════════════════════════════════════════════════╗");
   console.log("║               AI Agent Config Installed!                      ║");
@@ -73,24 +93,7 @@ function main() {
             BW_CLIENT_ID: "${BW_CLIENT_ID}",
             BW_CLIENT_SECRET: "${BW_CLIENT_SECRET}",
           },
-          disabledTools: [
-            "lock", "sync", "status", "confirm",
-            "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-            "device_approval_list", "device_approval_approve", "device_approval_approve_all",
-            "device_approval_deny", "device_approval_deny_all",
-            "create_text_send", "create_file_send", "list_send", "get_send",
-            "edit_send", "delete_send", "remove_send_password",
-            "create_attachment",
-            "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-            "list_org_members", "get_org_member", "get_org_member_groups",
-            "invite_org_member", "update_org_member", "update_org_member_groups",
-            "remove_org_member", "reinvite_org_member",
-            "list_org_groups", "get_org_group", "get_org_group_members",
-            "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-            "list_org_policies", "get_org_policy", "update_org_policy",
-            "get_org_events", "get_org_subscription", "update_org_subscription",
-            "import_org_users_and_groups"
-          ],
+          disabledTools: BITWARDEN_DISABLED_TOOLS,
         };
         changed = true;
         console.log("🔐 Bitwarden MCP server added to Antigravity (✓ enabled)");
@@ -110,24 +113,7 @@ function main() {
 
         // Phase 4: Add disabledTools if not present (don't override if user customized)
         if (!bw.disabledTools) {
-          bw.disabledTools = [
-            "lock", "sync", "status", "confirm",
-            "create_org_collection", "edit_org_collection", "edit_item_collections", "move",
-            "device_approval_list", "device_approval_approve", "device_approval_approve_all",
-            "device_approval_deny", "device_approval_deny_all",
-            "create_text_send", "create_file_send", "list_send", "get_send",
-            "edit_send", "delete_send", "remove_send_password",
-            "create_attachment",
-            "list_org_collections", "get_org_collection", "update_org_collection", "delete_org_collection",
-            "list_org_members", "get_org_member", "get_org_member_groups",
-            "invite_org_member", "update_org_member", "update_org_member_groups",
-            "remove_org_member", "reinvite_org_member",
-            "list_org_groups", "get_org_group", "get_org_group_members",
-            "create_org_group", "update_org_group", "delete_org_group", "update_org_group_members",
-            "list_org_policies", "get_org_policy", "update_org_policy",
-            "get_org_events", "get_org_subscription", "update_org_subscription",
-            "import_org_users_and_groups"
-          ];
+          bw.disabledTools = BITWARDEN_DISABLED_TOOLS;
           changed = true;
           console.log("🎛️  Bitwarden MCP: Added tool filters (disabled org-management tools)");
         }

package/scripts/secret-manager.js

@@ -124,13 +124,14 @@ async function promptPassword() {
 /**
  * Unlock Bitwarden vault with password
  * Returns session key or null if failed
- * Uses spawnSync to avoid shell injection
+ * Uses --passwordenv to pass password securely (not visible in process list)
  */
 function unlockBitwarden(password) {
     try {
-        // Use positional password argument for compatibility with older Bitwarden CLI versions
-        // Since we use spawnSync without shell: true, the password doesn't leak into shell history
-        const result = spawnSync("bw", ["unlock", password, "--raw"], {
+        // Use --passwordenv to avoid leaking password in /proc/<pid>/cmdline
+        // Set password in env only for this child process
+        const result = spawnSync("bw", ["unlock", "--passwordenv", "BW_UNLOCK_PASSWORD", "--raw"], {
+            env: { ...process.env, BW_UNLOCK_PASSWORD: password },
             encoding: "utf-8",
         });